Wireshark-users: Re: [Wireshark-users] why HTTP PDU is not reassembled

From: "ronnie sahlberg" <ronniesahlberg@xxxxxxxxx>
Date: Wed, 20 Dec 2006 11:59:43 +0000
Please try latest svn of wireshark.
I have checked in a fix that makes "reassemble one more segment" work
for the rather unusual case (like your capture) when we need to do
this multiple times in a row for the same pdu.


Seems IIS didn't like your Kerberos auth blob and just reset the connection :-)



On 12/19/06, ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote:
The request is complete yes.
The problem here is that HTTP is a very difficult protocol to do
reassembly for and is thus doing reassembly very differently to all
other protocols running over TCP.
When reassembling the ASCII header, which has no explicit length that
describes the header length, the http dissector instead uses a special
"ask for one more segment at a time" when reassembling the header.
This special kind of reassembly does not work entirely for http
headers that span across more than two tcp segments. I.e. that asks
for "one more segment please" multiple times for the same header.

I may have a fix for this in the next few days.


On 12/16/06, Xiaoguang Liu <syslxg@xxxxxxxxx> wrote:
> Yes. I meant frames 8, 9, 10.
>
> I think this HTTP request is completed. No more data is needed in subsequent
> frames. We can see 0x0d0a0d0a at the end of frame 10.
>
> I am also wondering why the web server reset the connection, but it should not
> do that no matter whether there are more frames to be received or not. A possible
> reason is that the IIS application pool crashed after it received the HTTP
> request (frames 8-10).
>
> What I would like to understand is why Wireshark did not reassemble frames
> 8-10. What did it wait for?
>
>
>
>
> On 12/16/06, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
> >
> > On Fri, Dec 15, 2006 at 10:09:26PM +0800, Xiaoguang Liu wrote:
> >
> > > In the attachment, frames 7, 8, 9 should be a single HTTP request. Why
> > > did Wireshark not reassemble them? Tested on Version 0.99.5-SVN-20139
> > > (SVN Rev 20139), Windows XP SP2. I do enable all reassemble HTTP .....
> > > options.
> >
> > I believe you meant frames 8, 9, 10?  They are being reassembled as you
> > can see from [TCP segment of a reassembled PDU] in the info column.
> > However, as you stated the final reassembled HTTP packet never shows up.
> > My guess would be that more data is expected before it finishes the
> > reassembly, but instead the server resets the connection (RST in the
> > final frame of the capture).  Can you reproduce this problem again?
> >
> >
> > Steve
> >
>
>
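
The "ask for one more segment at a time" header reassembly discussed in this thread, as a simplified model added here (not Wireshark's dissector code and not part of the original messages). The segment contents and the `max_requests` parameter are constructed for illustration; limiting it to 1 models a reassembler that cannot repeat the request for the same header.

```python
HEADER_END = b"\r\n\r\n"  # 0x0d0a0d0a, the terminator mentioned in the thread

# Constructed sample: one HTTP request whose header spans three TCP segments.
# The Negotiate token is a placeholder, and the terminator itself is split
# across the last two segments.
SEGMENTS = [
    b"GET / HTTP/1.1\r\nHost: example.test\r\nAuthorization: Negotiate AAAA",
    b"BBBBBBBBBBBBBBBB\r\n\r",
    b"\n",
]


def reassemble_header(segments, max_requests=None):
    """Accumulate segments until the header terminator is seen.

    Returns (header_bytes or None, number_of_extra_segments_requested).
    max_requests is a hypothetical limit on how many times "one more
    segment" may be requested for the same header (None = unlimited).
    """
    buf = bytearray()
    requests = 0
    for index, segment in enumerate(segments):
        if index > 0:
            # The header has no length field, so the only option is to
            # ask for exactly one more segment and look again.
            if max_requests is not None and requests >= max_requests:
                return None, requests
            requests += 1
        buf += segment
        # Search the accumulated buffer, not just the new segment, so a
        # terminator split across a segment boundary is still found.
        end = buf.find(HEADER_END)
        if end != -1:
            return bytes(buf[: end + len(HEADER_END)]), requests
    return None, requests  # capture ended before the header completed


if __name__ == "__main__":
    header, asked = reassemble_header(SEGMENTS)
    print("unlimited:", asked, "extra segments,", len(header), "header bytes")
    print("limit of 1:", reassemble_header(SEGMENTS, max_requests=1))
```
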